<!DOCTYPE html>
<html lang="en-US">
<head>
	





    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <link rel="icon" type="image/png" href="https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/fav.png" />
     
     
	<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

	
	<title>Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware</title>
	<meta name="description" content="A new Linux malware we&#039;re calling Lightning Framework has modular plugins and the ability to install multiple types of rootkits." />
	<link rel="canonical" href="https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:description" content="A new Linux malware we&#039;re calling Lightning Framework has modular plugins and the ability to install multiple types of rootkits." />
	<meta property="og:url" content="https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" />
	<meta property="og:site_name" content="Intezer" />
	<meta property="article:publisher" content="https://www.facebook.com/IntezerLabs/" />
	<meta property="article:published_time" content="2022-07-21T07:00:00+00:00" />
	<meta property="article:modified_time" content="2022-07-21T13:59:43+00:00" />
	<meta property="og:image" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/lightning-linux-threat-blog-1.png" />
	<meta property="og:image:width" content="1024" />
	<meta property="og:image:height" content="475" />
	<meta property="og:image:type" content="image/png" />
	<meta name="author" content="Ryan Robinson" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:title" content="Lightning Framework: New “Swiss Army Knife” Linux Malware" />
	<meta name="twitter:description" content="A new Linux malware we&#039;re calling Lightning Framework has modular plugins and the ability to install multiple types of rootkits." />
	<meta name="twitter:image" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/lightning-linux-threat-blog-1.png" />
	<meta name="twitter:creator" content="@IntezerLabs" />
	<meta name="twitter:site" content="@IntezerLabs" />
	<meta name="twitter:label1" content="Written by" />
	<meta name="twitter:data1" content="Ryan Robinson" />
	<meta name="twitter:label2" content="Est. reading time" />
	<meta name="twitter:data2" content="11 minutes" />
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://www.intezer.com/#organization","name":"Intezer","url":"https://www.intezer.com/","sameAs":["https://www.linkedin.com/company/intezer-labs/","https://www.youtube.com/channel/UCt5L5ztHh-C1NCKa6bKjXFQ","https://www.facebook.com/IntezerLabs/","https://twitter.com/IntezerLabs"],"logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.intezer.com/#/schema/logo/image/","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","width":512,"height":512,"caption":"Intezer"},"image":{"@id":"https://www.intezer.com/#/schema/logo/image/"}},{"@type":"WebSite","@id":"https://www.intezer.com/#website","url":"https://www.intezer.com/","name":"Intezer","description":"","publisher":{"@id":"https://www.intezer.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.intezer.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/#primaryimage","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/lightning-linux-threat-blog-1.png","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/lightning-linux-threat-blog-1.png","width":1024,"height":475},{"@type":"WebPage","@id":"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/#webpage","url":"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/","name":"Lightning Framework: New Undetected “Swiss Army Knife” Linux 
Malware","isPartOf":{"@id":"https://www.intezer.com/#website"},"primaryImageOfPage":{"@id":"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/#primaryimage"},"datePublished":"2022-07-21T07:00:00+00:00","dateModified":"2022-07-21T13:59:43+00:00","description":"A new Linux malware we're calling Lightning Framework has modular plugins and the ability to install multiple types of rootkits.","breadcrumb":{"@id":"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"]}]},{"@type":"BreadcrumbList","@id":"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.intezer.com/"},{"@type":"ListItem","position":2,"name":"Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware &#x26a1;"}]},{"@type":"Article","@id":"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/#article","isPartOf":{"@id":"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/#webpage"},"author":{"name":"Ryan Robinson","@id":"https://www.intezer.com/#/schema/person/e878050c53f2adf13335dba35509a7e5"},"headline":"Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware &#x26a1;","datePublished":"2022-07-21T07:00:00+00:00","dateModified":"2022-07-21T13:59:43+00:00","mainEntityOfPage":{"@id":"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/#webpage"},"wordCount":1594,"publisher":{"@id":"https://www.intezer.com/#organization"},"image":{"@id":"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/#primaryimage"},"thumbnailUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/lightning-linux-threat-blog-1.png","keywords":["Lightning Framework","Linux","Malware 
Analysis","Research"],"articleSection":["Research"],"inLanguage":"en-US"},{"@type":"Person","@id":"https://www.intezer.com/#/schema/person/e878050c53f2adf13335dba35509a7e5","name":"Ryan Robinson","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.intezer.com/#/schema/person/image/","url":"https://secure.gravatar.com/avatar/bcffd0d5fb19e965b1ecdbca0e5f51f5?s=96&d=mm&r=g","contentUrl":"https://secure.gravatar.com/avatar/bcffd0d5fb19e965b1ecdbca0e5f51f5?s=96&d=mm&r=g","caption":"Ryan Robinson"},"description":"Ryan is a security researcher analyzing malware and scripting. Formerly, he was a researcher on Anomali's Threat Research Team.","url":"https://www.intezer.com/author/ryanrobinson/"}]}</script>
	


<link rel='dns-prefetch' href='//static.addtoany.com' />
<link rel='dns-prefetch' href='//js.hs-scripts.com' />
<link rel='dns-prefetch' href='//www.google.com' />
<link rel='dns-prefetch' href='//c0.wp.com' />
<link href='https://fonts.gstatic.com' crossorigin rel='preconnect' />
<link rel="alternate" type="application/rss+xml" title="Intezer &raquo; Feed" href="https://www.intezer.com/feed/" />
<link rel='stylesheet' id='wp-block-library-css'  href='https://c0.wp.com/c/6.0.1/wp-includes/css/dist/block-library/style.min.css' media='all' />
<style id='wp-block-library-inline-css' type='text/css'>
.has-text-align-justify{text-align:justify;}
</style>
<link rel='stylesheet' id='prismatic-blocks-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/prismatic/css/styles-blocks.css?ver=a64767dca95350331dd63d1543147965' media='all' />
<link rel='stylesheet' id='mediaelement-css'  href='https://c0.wp.com/c/6.0.1/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css' media='all' />
<link rel='stylesheet' id='wp-mediaelement-css'  href='https://c0.wp.com/c/6.0.1/wp-includes/js/mediaelement/wp-mediaelement.min.css' media='all' />
<style id='global-styles-inline-css' type='text/css'>
body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: 
linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--duotone--dark-grayscale: url('#wp-duotone-dark-grayscale');--wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--midnight: url('#wp-duotone-midnight');--wp--preset--duotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) 
!important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) 
!important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) 
!important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;}
</style>
<link rel='stylesheet' id='contact-form-7-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.6' media='all' />
<link rel='stylesheet' id='prismatic-highlight-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/prismatic/lib/highlight/css/default.css?ver=3.1.1' media='all' />
<link rel='stylesheet' id='bootstrap_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/css/bootstrap.css?ver=a64767dca95350331dd63d1543147965' media='all' />
<link rel='stylesheet' id='fontawesome_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/css/font-awesome.min.css?ver=a64767dca95350331dd63d1543147965' media='all' />
<link rel='stylesheet' id='main_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/style.css?ver=1658606359' media='all' />
<link rel='stylesheet' id='wpdreams-asl-basic-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/style.basic.css?ver=4.10' media='all' />
<link rel='stylesheet' id='wpdreams-ajaxsearchlite-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/style-curvy-blue.css?ver=4.10' media='all' />
<link rel='stylesheet' id='slb_core-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/simple-lightbox/client/css/app.css?ver=2.8.1' media='all' />
<link rel='stylesheet' id='addtoany-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/add-to-any/addtoany.min.css?ver=1.16' media='all' />
<link rel='stylesheet' id='cf7cf-style-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/cf7-conditional-fields/style.css?ver=2.2' media='all' />
<link   rel='preload' as='style' data-wpacu-preload-it-async='1' onload="this.onload=null;this.rel='stylesheet'" id='wpacu-preload-jetpack_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack/css/jetpack.css?ver=11.2-a.5' media='all' />






<link rel="https://api.w.org/" href="https://www.intezer.com/wp-json/" /><link rel="alternate" type="application/json" href="https://www.intezer.com/wp-json/wp/v2/posts/27200" />			
			
			
			<style>img#wpstats{display:none}</style>
					<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
				<link rel="preload" as="style" href="//fonts.googleapis.com/css?family=Open+Sans&display=swap" />
				<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans&display=swap" media="all" />
				                <style>
                    
					div[id*='ajaxsearchlitesettings'].searchsettings .asl_option_inner label {
						font-size: 0px !important;
						color: rgba(0, 0, 0, 0);
					}
					div[id*='ajaxsearchlitesettings'].searchsettings .asl_option_inner label:after {
						font-size: 11px !important;
						position: absolute;
						top: 0;
						left: 0;
						z-index: 1;
					}
					.asl_w_container {
						width: 100%;
						margin: 0px 0px 14px 0px;
					}
					div[id*='ajaxsearchlite'].asl_m {
						width: 100%;
					}
					div[id*='ajaxsearchliteres'].wpdreams_asl_results div.resdrg span.highlighted {
						font-weight: bold;
						color: rgba(48, 138, 255, 1);
						background-color: rgb(255, 255, 255);
					}
					div[id*='ajaxsearchliteres'].wpdreams_asl_results .results div.asl_image {
						width: 84px;
						height: 60px;
						background-size: cover;
						background-repeat: no-repeat;
					}
					div.asl_r .results {
						max-height: none;
					}
				
						.asl_m .probox svg {
							fill: rgba(204, 216, 228, 1) !important;
						}
						.asl_m .probox .innericon {
							background-color: rgba(255, 255, 255, 1) !important;
							background-image: none !important;
							-webkit-background-image: none !important;
							-ms-background-image: none !important;
						}
					
						div.asl_m.asl_w {
							border:1px solid rgba(48, 138, 255, 1) !important;border-radius:7px 7px 7px 7px !important;
							box-shadow: none !important;
						}
						div.asl_m.asl_w .probox {border: none !important;}
					
						div.asl_r.asl_w.vertical .results .item::after {
							display: block;
							position: absolute;
							bottom: 0;
							content: '';
							height: 1px;
							width: 100%;
							background: #D8D8D8;
						}
						div.asl_r.asl_w.vertical .results .item.asl_last_item::after {
							display: none;
						}
					 div.asl_m.asl_w {
    margin: auto;
    max-width: 820px;
}
div.asl_w .probox .promagnifier {
    order: 1;
}
div.asl_r .results .item .asl_content h3, div.asl_r .results .item .asl_content h3 a {
    font-weight: 600;
    color: #233b52;
}

div.asl_r .results .item .asl_content h3 a:hover {
    font-weight: 600;
    color: #233b52;
}

.wpdreams_asl_results .results div.asl_image {
    border-radius: 7px;
}

p.asl_desc {
    color: #849eb5;
}
span.asl_nores_header {
    font-size: 14px;
}                </style>
                <link rel="icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-32x32.png" sizes="32x32" />
<link rel="icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-192x192.png" sizes="192x192" />
<link rel="apple-touch-icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-180x180.png" />
<meta name="msapplication-TileImage" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-270x270.png" />
<link rel="stylesheet" type="text/css" id="wp-custom-css" href="https://www.intezer.com/?custom-css=affedbe262" />



</head>

<body class="post-template-default single single-post postid-27200 single-format-standard wp-custom-logo lightning-framework-new-linux-threat elementor-default elementor-kit-8921">
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/jquery-3.2.1.min.js?ver=a64767dca95350331dd63d1543147965' id='jquery-js'></script>
<script type='text/javascript' id='media-video-jwt-bridge-js-extra'>
/* <![CDATA[ */
var videopressAjax = {"ajaxUrl":"https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php","bridgeUrl":"https:\/\/www.intezer.com\/wp-content\/plugins\/jetpack\/modules\/videopress\/js\/videopress-token-bridge.js","post_id":"27200"};
/* ]]> */
</script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack/modules/videopress/js/videopress-token-bridge.js?ver=6' id='media-video-jwt-bridge-js'></script>




<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "Article",
  "mainEntityOfPage": {
    "@type": "WebPage",
    "@id": "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
  },
  "headline": "Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware ⚡",
  "image": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/lightning-linux-threat-blog-1.png",  
  "author": {
    "@type": "Organization",
    "name": "Intezer"
  },  
  "publisher": {
    "@type": "Organization",
    "name": "Intezer",
    "logo": {
      "@type": "ImageObject",
      "url": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/02/Round-Logo-60x60.jpg",
      "width": 50,
      "height": 50
    }
  },
  "datePublished": "2022-07-21"
}
</script>





	<div id="primary" class="content-area">
	    <div class="container">
		    <div class="single-post-page">
				<h1 class="entry-title t-dianne">Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware &#x26a1;</h1><div class="row top-meta"><div class="col-md-12"><div class="author-box clearfix"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/06/Screenshot_20210616-173955_Photos-e1623935903273-60x60.jpg" class="user-photo"><div class="user-bio"><span class="author-light">Written by </span><span class="author-name"> Ryan Robinson</span><span class="author-date"> - 21 July 2022</span></div></div></div><div class="main-blog-image"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/lightning-linux-threat-blog-1.png" class="featured-img"></div></div><div class="row blog-cont"><div class="col-md-2 blog-side"><div class="blog-side-subscribe"><div role="form" class="wpcf7" id="wpcf7-f25657-o2" lang="en-US" dir="ltr">
<div class="screen-reader-response"><p role="status" aria-live="polite" aria-atomic="true"></p> <ul></ul></div>
<form action="/blog/research/lightning-framework-new-linux-threat/#wpcf7-f25657-o2" method="post" class="wpcf7-form init" novalidate="novalidate" data-status="init">
<div style="display: none;">
<input type="hidden" name="_wpcf7" value="25657" />
<input type="hidden" name="_wpcf7_version" value="5.6" />
<input type="hidden" name="_wpcf7_locale" value="en_US" />
<input type="hidden" name="_wpcf7_unit_tag" value="wpcf7-f25657-o2" />
<input type="hidden" name="_wpcf7_container_post" value="0" />
<input type="hidden" name="_wpcf7_posted_data_hash" value="" />
<input type="hidden" name="_wpcf7cf_hidden_group_fields" value="[]" />
<input type="hidden" name="_wpcf7cf_hidden_groups" value="[]" />
<input type="hidden" name="_wpcf7cf_visible_groups" value="[]" />
<input type="hidden" name="_wpcf7cf_repeaters" value="[]" />
<input type="hidden" name="_wpcf7cf_steps" value="{}" />
<input type="hidden" name="_wpcf7cf_options" value="{&quot;form_id&quot;:25657,&quot;conditions&quot;:[{&quot;then_field&quot;:&quot;group-570&quot;,&quot;and_rules&quot;:[{&quot;if_field&quot;:&quot;mx_Country&quot;,&quot;operator&quot;:&quot;equals&quot;,&quot;if_value&quot;:&quot;United States&quot;}]}],&quot;settings&quot;:{&quot;animation&quot;:&quot;yes&quot;,&quot;animation_intime&quot;:200,&quot;animation_outtime&quot;:200,&quot;conditions_ui&quot;:&quot;normal&quot;,&quot;notice_dismissed&quot;:false,&quot;notice_dismissed_rollback-cf7-5.5.3&quot;:true,&quot;notice_dismissed_rollback-cf7-5.5.4&quot;:true}}" />
<input type="hidden" name="_wpcf7_recaptcha_response" value="" />
</div>
<div class="form-header"></div>
<div id ="email-field" class="cf-field cf-field-left">
<span class="wpcf7-form-control-wrap" data-name="EmailAddress"><input type="email" name="EmailAddress" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-email wpcf7-validates-as-required wpcf7-validates-as-email email" aria-required="true" aria-invalid="false" placeholder="Business Email" /></span>
</div>
<div class="cf-field cf-field-left cf-fname">
<span class="wpcf7-form-control-wrap" data-name="FullName"><input type="text" name="FullName" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required fname w-98" aria-required="true" aria-invalid="false" placeholder="Full Name" /></span>
</div>
<div class="cf-field cf-company">
<span class="wpcf7-form-control-wrap" data-name="Company"><input type="text" name="Company" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required company" aria-required="true" aria-invalid="false" placeholder="Company" /></span>
</div>
<div class="cf-field cf-field-left cf-title">
<span class="wpcf7-form-control-wrap" data-name="JobTitle"><input type="text" name="JobTitle" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required w-98" aria-required="true" aria-invalid="false" placeholder="Job Title" /></span>
</div>
<div class="cf-field">
<span class="wpcf7-form-control-wrap" data-name="mx_Country"><select name="mx_Country" class="wpcf7-form-control wpcf7-select wpcf7-validates-as-required country" aria-required="true" aria-invalid="false"><option value="">Country</option><option value="United States">United States</option><option value="Canada">Canada</option><option value="Afghanistan">Afghanistan</option><option value="Albania">Albania</option><option value="Algeria">Algeria</option><option value="Andorra">Andorra</option><option value="Angola">Angola</option><option value="Antigua and Barbuda">Antigua and Barbuda</option><option value="Argentina">Argentina</option><option value="Armenia">Armenia</option><option value="Aruba">Aruba</option><option value="Australia">Australia</option><option value="Austria">Austria</option><option value="Azerbaijan">Azerbaijan</option><option value="Bahamas">Bahamas</option><option value="Bahrain">Bahrain</option><option value="Bangladesh">Bangladesh</option><option value="Barbados">Barbados</option><option value="Belarus">Belarus</option><option value="Belgium">Belgium</option><option value="Belize">Belize</option><option value="Benin">Benin</option><option value="Bermuda">Bermuda</option><option value="Bhutan">Bhutan</option><option value="Bolivia">Bolivia</option><option value="Bosnia and Herzegovina">Bosnia and Herzegovina</option><option value="Botswana">Botswana</option><option value="Brazil">Brazil</option><option value="Brunei">Brunei</option><option value="Bulgaria">Bulgaria</option><option value="Burkina Faso">Burkina Faso</option><option value="Burundi">Burundi</option><option value="Cambodia">Cambodia</option><option value="Cameroon">Cameroon</option><option value="Cape Verde">Cape Verde</option><option value="Cayman Islands">Cayman Islands</option><option value="Central African Republic">Central African Republic</option><option value="Chad">Chad</option><option value="Chile">Chile</option><option value="China">China</option><option 
</div></div><div class="col-md-9 blog-main"><div class="single-post-content">
<p><em>Lightning Framework is a new undetected Swiss Army Knife-like Linux malware that has modular plugins and the ability to install rootkits.</em></p>



<p>Year after year, Linux environments increasingly become the target of malware due to continued threat actor interest in the space. Malware targeting Linux environments surged in 2021, with a large amount of innovation <a href="https://www.ibm.com/downloads/cas/ADLMYLAZ" target="_blank" rel="noreferrer noopener nofollow">resulting in new malicious code</a>, especially in ransomware, trojans, and botnets. With the rise in use of the cloud, it is no wonder that malware innovation is still accelerating at breakneck speed in this realm.</p>



<p>This is a technical analysis of a previously undocumented and undetected Linux threat called the <em>Lightning Framework</em>. It is rare to see such an intricate framework developed for targeting Linux systems. Lightning is a modular framework we discovered that has a plethora of capabilities, including the ability to install multiple types of rootkits and to run plugins. The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and a polymorphic malleable command and control configuration. We are releasing this blog for informational purposes. We do not have all the files that are referenced in the framework, but hope that this release will help others if they possess other pieces of the jigsaw puzzle. We have not observed this malware being used in attacks in the wild.</p>



<h2 class="has-text-align-left" id="h-technical-analysis-of-lightning-framework">Technical Analysis of Lightning Framework</h2>



<p>The framework consists of a downloader and core module, with a number of plugins. Some of the plugins used by the malware are open-source tools. Below is a figure of the framework layout:</p>



<figure class="wp-block-image size-large"><a href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/1-Lightning-framework-new-linux-threat.jpg" data-slb-group="post-images" data-slb-active="1" data-slb-asset="1046471143" data-slb-internal="0"><img width="1530" height="738" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/1-Lightning-framework-new-linux-threat-1530x738.jpg" alt="Lightning framework new linux threat" class="wp-image-27206" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/1-Lightning-framework-new-linux-threat-1530x738.jpg 1530w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/1-Lightning-framework-new-linux-threat-300x145.jpg 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/1-Lightning-framework-new-linux-threat-768x371.jpg 768w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/1-Lightning-framework-new-linux-threat-1536x741.jpg 1536w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/1-Lightning-framework-new-linux-threat.jpg 1979w " sizes="(max-width: 1530px) 100vw, 1530px" /></a></figure>



<h2 id="h-overview-of-the-modules">Overview of the Modules</h2>



<figure class="wp-block-table"><table><tbody><tr><td class="has-text-align-left" data-align="left"><strong>Name</strong></td><td class="has-text-align-left" data-align="left"><strong>Name on Disk</strong></td><td class="has-text-align-left" data-align="left"><strong>Description</strong></td></tr><tr><td class="has-text-align-left" data-align="left">Lightning.Downloader</td><td class="has-text-align-left" data-align="left">kbioset</td><td class="has-text-align-left" data-align="left">The persistent module that downloads the core module and its plugins</td></tr><tr><td class="has-text-align-left" data-align="left">Lightning.Core</td><td class="has-text-align-left" data-align="left">kkdmflush</td><td class="has-text-align-left" data-align="left">The main module of the Lightning Framework</td></tr><tr><td class="has-text-align-left" data-align="left">Linux.Plugin.Lightning.SsHijacker</td><td class="has-text-align-left" data-align="left">soss</td><td class="has-text-align-left" data-align="left">There is a reference to this module but no sample found in the wild yet.</td></tr><tr><td class="has-text-align-left" data-align="left">Linux.Plugin.Lightning.Sshd</td><td class="has-text-align-left" data-align="left">sshod</td><td class="has-text-align-left" data-align="left">OpenSSH with hardcoded private and host keys</td></tr><tr><td class="has-text-align-left" data-align="left">Linux.Plugin.Lightning.Nethogs</td><td class="has-text-align-left" data-align="left">nethoogs</td><td class="has-text-align-left" data-align="left">There is a reference to this module but no sample found in the wild yet. 
Presumably the software <a href="https://github.com/raboof/nethogs" target="_blank" rel="noreferrer noopener nofollow">Nethogs</a></td></tr><tr><td class="has-text-align-left" data-align="left">Linux.Plugin.Lightning.iftop</td><td class="has-text-align-left" data-align="left">iftoop</td><td class="has-text-align-left" data-align="left">There is a reference to this module but no sample found in the wild yet. Presumably the software <a href="https://linux.die.net/man/8/iftop" target="_blank" rel="noreferrer noopener nofollow">iftop</a></td></tr><tr><td class="has-text-align-left" data-align="left">Linux.Plugin.Lightning.iptraf</td><td class="has-text-align-left" data-align="left">iptraof</td><td class="has-text-align-left" data-align="left">There is a reference to this module but no sample found in the wild yet. Presumably the software <a href="http://iptraf.seul.org/" target="_blank" rel="noreferrer noopener nofollow">IPTraf</a></td></tr><tr><td class="has-text-align-left" data-align="left">Linux.Plugin.RootkieHide</td><td class="has-text-align-left" data-align="left">libsystemd.so.2</td><td class="has-text-align-left" data-align="left">There is a reference to this module but no sample found in the wild yet. LD_PRELOAD Rootkit</td></tr><tr><td class="has-text-align-left" data-align="left">Linux.Plugin.Kernel</td><td class="has-text-align-left" data-align="left">elastisearch.ko</td><td class="has-text-align-left" data-align="left">There is a reference to this module but no sample found in the wild yet. LKM Rootkit</td></tr></tbody></table></figure>



<h2 id="h-lightning-downloader">Lightning.Downloader</h2>



<p>The main function of the downloader module is to fetch the other components and execute the core module.</p>



<figure class="wp-block-image size-large"><a href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/2-lightning-framework-downloader-analysis.png" data-slb-group="post-images" data-slb-active="1" data-slb-asset="430432276" data-slb-internal="0"><img loading="lazy" width="1530" height="650" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/2-lightning-framework-downloader-analysis-1530x650.png" alt="Lightning framework downloader result in Intezer Analyze" class="wp-image-27207" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/2-lightning-framework-downloader-analysis-1530x650.png 1530w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/2-lightning-framework-downloader-analysis-300x127.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/2-lightning-framework-downloader-analysis-768x326.png 768w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/2-lightning-framework-downloader-analysis-1536x652.png 1536w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/2-lightning-framework-downloader-analysis.png 1999w " sizes="(max-width: 1530px) 100vw, 1530px" /></a><figcaption>Lightning Downloader <a href="https://analyze.intezer.com/files/48f9471c20316b295704e6f8feb2196dd619799edec5835734fc24051f45c5b7">re</a><a href="https://analyze.intezer.com/files/48f9471c20316b295704e6f8feb2196dd619799edec5835734fc24051f45c5b7" target="_blank" rel="noreferrer noopener">s</a><a href="https://analyze.intezer.com/files/48f9471c20316b295704e6f8feb2196dd619799edec5835734fc24051f45c5b7">ult</a> in Intezer Analyze</figcaption></figure>



<p>The downloader module starts by checking if it is located in the working directory <em><code>/usr/lib64/seahorses/</code></em> under the name <em><code>kbioset</code></em>. The framework makes heavy use of typosquatting and masquerading in order to remain undetected. The reference to <em>seahorses</em> masquerades as the password and key manager software <a href="https://gitlab.gnome.org/GNOME/seahorse" target="_blank" rel="noreferrer noopener nofollow"><em>seahorse</em></a>. If the downloader is not running from that location under that name, it will relocate itself to that working directory and execute that copy. The downloader will fingerprint the host name and network adapters to generate a GUID, which will be sent to the command and control (C2) server.</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="1446" height="1056" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/3-ida-pro-building-GUID.png" alt="" class="wp-image-27208" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/3-ida-pro-building-GUID.png 1446w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/3-ida-pro-building-GUID-300x219.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/3-ida-pro-building-GUID-768x561.png 768w " sizes="(max-width: 1446px) 100vw, 1446px" /><figcaption>Building the GUID</figcaption></figure>



<p>The downloader will then contact the C2 to fetch the following modules and plugins:</p>



<ul><li>Linux.Plugin.Lightning.SsHijacker</li><li>Linux.Plugin.Lightning.Sshd</li><li>Linux.Plugin.Lightning.Nethogs</li><li>Linux.Plugin.Lightning.iftop</li><li>Linux.Plugin.Lightning.iptraf</li><li>Lightning.Core</li></ul>



<figure class="wp-block-image size-full"><img loading="lazy" width="1474" height="944" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/4-resources-from-C2.png" alt="" class="wp-image-27209" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/4-resources-from-C2.png 1474w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/4-resources-from-C2-300x192.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/4-resources-from-C2-768x492.png 768w " sizes="(max-width: 1474px) 100vw, 1474px" /><figcaption>Resources fetched from the C2</figcaption></figure>



<p>The method of contacting the C2 is described below in the malleable C2 section. The downloader will then execute the core module (kkdmflush).</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="1140" height="754" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/5-execution-of-Lightning-core.png" alt="Lightning Framework execution of the core module" class="wp-image-27210" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/5-execution-of-Lightning-core.png 1140w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/5-execution-of-Lightning-core-300x198.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/5-execution-of-Lightning-core-768x508.png 768w " sizes="(max-width: 1140px) 100vw, 1140px" /><figcaption>Execution of the core module</figcaption></figure>



<h2 id="h-lightning-core">Lightning.Core</h2>



<p>The core module is the main module in this framework; it is able to receive commands from the C2 and execute the plugin modules. The module has many capabilities and uses a number of techniques to <a href="https://attack.mitre.org/techniques/T1564/" target="_blank" rel="noreferrer noopener nofollow">hide artifacts</a> so that it can keep running under the radar.</p>



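<p>The core module changes the name of its calling thread to <em>kdmflush</em> (its name on disk is <em>kkdmflush</em>) to make it appear to be a kernel thread. Renaming the thread does not change what the process is: unlike a genuine kernel thread, it is still backed by an executable file on disk.</p>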



<figure class="wp-block-image size-full"><img loading="lazy" width="758" height="436" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/6-prctl-to-modify-calling-thread.png" alt="" class="wp-image-27211" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/6-prctl-to-modify-calling-thread.png 758w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/6-prctl-to-modify-calling-thread-300x173.png 300w " sizes="(max-width: 758px) 100vw, 758px" /><figcaption>Using prctl to modify calling thread name</figcaption></figure>



<p>Next the core module sets up persistence by creating a script that is executed upon system <a href="https://attack.mitre.org/techniques/T1037/" target="_blank" rel="noreferrer noopener nofollow">boot</a>. This is achieved by first creating a file located at <em><code>/etc/rc.d/init.d/elastisearch</code></em>. The name appears to typosquat <em>elasticsearch</em>. The following contents are written to the file:</p>



<pre class="wp-block-prismatic-blocks"><code class="language-">#!/bin/bash
# chkconfig:2345 90 20
/usr/lib64/seahorses/kbioset &amp;</code></pre>



<p>This script will execute the downloader module upon boot. The service is then added using the <em><code>chkconfig</code></em> utility.&nbsp;</p>



<figure class="wp-block-image size-full"><a href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/7-initd-script-and-service.png" data-slb-group="post-images" data-slb-active="1" data-slb-asset="1334702485" data-slb-internal="0"><img loading="lazy" width="1448" height="1046" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/7-initd-script-and-service.png" alt="" class="wp-image-27212" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/7-initd-script-and-service.png 1448w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/7-initd-script-and-service-300x217.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/7-initd-script-and-service-768x555.png 768w " sizes="(max-width: 1448px) 100vw, 1448px" /></a><figcaption>Creation of the init.d script and service</figcaption></figure>



<p>The timestamp of the file is modified to hide artifacts, a technique known as “<a href="https://attack.mitre.org/techniques/T1070/006/" target="_blank" rel="noreferrer noopener nofollow">timestomping</a>”. The file's last modified time is set to match that of either <em><code>whoami</code></em>, <em><code>find</code></em>, or <em><code>su</code></em>. The malware looks for each of these files in turn until it finds one. This technique is used for most of the files that the framework creates.</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="1426" height="1102" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/8-file-timestampe-mod.png" alt="" class="wp-image-27213" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/8-file-timestampe-mod.png 1426w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/8-file-timestampe-mod-300x232.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/8-file-timestampe-mod-768x594.png 768w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/8-file-timestampe-mod-310x240.png 310w " sizes="(max-width: 1426px) 100vw, 1426px" /><figcaption>File timestamp modification function</figcaption></figure>



<p>The malware will attempt to hide its Process ID (PID) and any related network ports. This is achieved by writing the framework's running PIDs to two files: <em><code>hpi</code></em> and <em><code>hpo</code></em>. These files are parsed and then the existence of the file <em><code>proc/y.y</code></em> is checked. If the file exists, it means that a rootkit has been installed. The PIDs are written to <em><code>proc/y.y</code></em> for use by the rootkit, which may scrub any reference to files running in the framework from commands such as <em><code>ps</code></em> and <em><code>netstat</code></em>.</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="928" height="734" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/9-indication-of-rootkit.png" alt="" class="wp-image-27214" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/9-indication-of-rootkit.png 928w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/9-indication-of-rootkit-300x237.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/9-indication-of-rootkit-768x607.png 768w " sizes="(max-width: 928px) 100vw, 928px" /><figcaption>Writing PID to <em>proc/y.y </em>if it exists (Indication that rootkit exists)</figcaption></figure>



<p>The core module will generate a GUID in the same manner as the downloader and contact the C2. The response is parsed and the command is executed. The core module has the following commands:</p>



<figure class="wp-block-table"><table><tbody><tr><td class="has-text-align-left" data-align="left"><strong>Command</strong></td><td class="has-text-align-left" data-align="left"><strong>Description</strong></td></tr><tr><td class="has-text-align-left" data-align="left">SystemInfo</td><td class="has-text-align-left" data-align="left">Fingerprints the machine</td></tr><tr><td class="has-text-align-left" data-align="left">PureShellCommand</td><td class="has-text-align-left" data-align="left">Runs Shell command</td></tr><tr><td class="has-text-align-left" data-align="left">RunShellPure</td><td class="has-text-align-left" data-align="left">Starts the <em>Linux.Plugin.Lightning.Sshd</em> (SSH Daemon) plugin</td></tr><tr><td class="has-text-align-left" data-align="left">CloseShellPure</td><td class="has-text-align-left" data-align="left">Terminates the <em>Linux.Plugin.Lightning.Sshd </em>plugin</td></tr><tr><td class="has-text-align-left" data-align="left">Disconnect</td><td class="has-text-align-left" data-align="left">Exits the Core module</td></tr><tr><td class="has-text-align-left" data-align="left">GetRemotePathInfo</td><td class="has-text-align-left" data-align="left">Collects the summary of given path</td></tr><tr><td class="has-text-align-left" data-align="left">KeepAlive</td><td class="has-text-align-left" data-align="left">No action, connection remains alive</td></tr><tr><td class="has-text-align-left" data-align="left">UploadFileHeader</td><td class="has-text-align-left" data-align="left">Checks access of file</td></tr><tr><td class="has-text-align-left" data-align="left">FileEdit</td><td class="has-text-align-left" data-align="left">Gets contents of file and time meta</td></tr><tr><td class="has-text-align-left" data-align="left">TryPassSSH</td><td class="has-text-align-left" data-align="left">Adds a public key to the <em>root/.ssh/authorized_keys</em> file</td></tr><tr><td class="has-text-align-left" data-align="left">DeleteVecFile</td><td 
class="has-text-align-left" data-align="left">Deletes the specified file or path</td></tr><tr><td class="has-text-align-left" data-align="left">PreDownloadFile</td><td class="has-text-align-left" data-align="left">Calculates a checksum of the file</td></tr><tr><td class="has-text-align-left" data-align="left">DownloadFile</td><td class="has-text-align-left" data-align="left">Sends a file to the C2</td></tr><tr><td class="has-text-align-left" data-align="left">DeleteGuid</td><td class="has-text-align-left" data-align="left">Removes the framework</td></tr><tr><td class="has-text-align-left" data-align="left">UpdateVersion</td><td class="has-text-align-left" data-align="left">Calls the Downloader module to update the framework</td></tr><tr><td class="has-text-align-left" data-align="left">UpdateRemoteVersion</td><td class="has-text-align-left" data-align="left">Updates the framework including the downloader</td></tr><tr><td class="has-text-align-left" data-align="left">Socks5</td><td class="has-text-align-left" data-align="left">Sets up a Socks5 proxy</td></tr><tr><td class="has-text-align-left" data-align="left">RestorePlug</td><td class="has-text-align-left" data-align="left">The same as <em>UpdateVersion</em></td></tr><tr><td class="has-text-align-left" data-align="left">GetDomainSetting</td><td class="has-text-align-left" data-align="left">Fetches the contents of the malleable C2 configuration file (cpc)</td></tr><tr><td class="has-text-align-left" data-align="left">SetDomainSetting</td><td class="has-text-align-left" data-align="left">Updates the contents of the malleable C2 configuration file (cpc)</td></tr><tr><td class="has-text-align-left" data-align="left">InstallKernelHide</td><td class="has-text-align-left" data-align="left">Fetches the OS release</td></tr><tr><td class="has-text-align-left" data-align="left">RemoveKernelHide</td><td class="has-text-align-left" data-align="left">Removes kernel module</td></tr><tr><td class="has-text-align-left" 
data-align="left">UpdateKernelVersion</td><td class="has-text-align-left" data-align="left">Removes the kernel module and runs <em>uname -r</em></td></tr><tr><td class="has-text-align-left" data-align="left">OverrideFile</td><td class="has-text-align-left" data-align="left">Overwrites specified file</td></tr><tr><td class="has-text-align-left" data-align="left">UploadFileContent</td><td class="has-text-align-left" data-align="left">Writes data sent from server to file</td></tr><tr><td class="has-text-align-left" data-align="left">LocalPluginRequest</td><td class="has-text-align-left" data-align="left">Writes either the LD_PRELOAD rootkit or the LKM rootkit</td></tr></tbody></table></figure>



<h2 id="h-network-communication">Network Communication</h2>



<p>Network communication in the Core and Downloader modules is performed over TCP sockets. The data is structured in JSON. The C2 is stored in a polymorphic encoded configuration file that is unique for every single creation. This means that the configuration files cannot be detected by matching file hashes; detection has to rely on something that stays constant, such as where the file is written. The key is built into the start of the encoded file.</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="1016" height="574" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/10-key-length-config.png" alt="" class="wp-image-27215" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/10-key-length-config.png 1016w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/10-key-length-config-300x169.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/10-key-length-config-768x434.png 768w " sizes="(max-width: 1016px) 100vw, 1016px" /><figcaption>Encoded malleable C2 configuration profile</figcaption></figure>



<figure class="wp-block-image size-full"><img loading="lazy" width="1114" height="1104" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/11-dynamic-x0r.png" alt="" class="wp-image-27216" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/11-dynamic-x0r.png 1114w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/11-dynamic-x0r-300x297.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/11-dynamic-x0r-150x150.png 150w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/11-dynamic-x0r-768x761.png 768w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/11-dynamic-x0r-50x50.png 50w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/11-dynamic-x0r-65x65.png 65w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/11-dynamic-x0r-220x218.png 220w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/11-dynamic-x0r-66x66.png 66w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/11-dynamic-x0r-60x60.png 60w " sizes="(max-width: 1114px) 100vw, 1114px" /><figcaption>The dynamic XOR decoding routine&nbsp;</figcaption></figure>



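<p>The decoded configuration is structured in JSON. The default configuration in the analyzed sample uses a local (private-range) IP address <em><code>10.2.22[.]67</code></em> with the port <em><code>33229</code></em>. Because this address is not routable on the internet, it is useful as an indicator only for samples that still carry this default configuration.</p>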



<figure class="wp-block-image size-full"><img loading="lazy" width="1124" height="374" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/12-default-config.png" alt="" class="wp-image-27217" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/12-default-config.png 1124w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/12-default-config-300x100.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/12-default-config-768x256.png 768w " sizes="(max-width: 1124px) 100vw, 1124px" /><figcaption>Decoded default configuration</figcaption></figure>



<p>There is a passive mode of communication available if the actor executes the <strong>RunShellPure </strong>command. This starts an SSH service on the infected machine with the <em>Linux.Plugin.Lightning.Sshd </em>plugin. The plugin is an OpenSSH daemon that has hardcoded private and host keys, allowing the attacker to SSH into the machine with their own SSH key, creating a secondary backdoor.&nbsp;</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="1522" height="1024" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/13-hardcoded-keys.png" alt="" class="wp-image-27218" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/13-hardcoded-keys.png 1522w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/13-hardcoded-keys-300x202.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/07/13-hardcoded-keys-768x517.png 768w " sizes="(max-width: 1522px) 100vw, 1522px" /><figcaption>Hardcoded keys inside the modified OpenSSH daemon</figcaption></figure>



<h2 id="h-summary">Summary</h2>



<p>The Lightning Framework is an interesting malware as it is not common to see such a large framework developed for targeting Linux. Although we do not have all the files, we can infer some of the missing functionality based on strings and code of the modules that we do possess. Soon we will release another blog post about detection opportunities for Lightning Framework using osquery.</p>



<p><em>We would like to extend a huge thanks to our friends and partners at IBM and SentinelOne for their help in investigating this threat.</em></p>



<h2 id="h-iocs-for-lightning-framework">IOCs for Lightning Framework</h2>



<h3><strong>Hashes</strong></h3>



<figure class="wp-block-table"><table><tbody><tr><td class="has-text-align-left" data-align="left"><strong>File</strong></td><td class="has-text-align-left" data-align="left"><strong>SHA256</strong></td></tr><tr><td class="has-text-align-left" data-align="left">Lightning.Downloader</td><td class="has-text-align-left" data-align="left"><a href="https://analyze.intezer.com/files/48f9471c20316b295704e6f8feb2196dd619799edec5835734fc24051f45c5b7" target="_blank" rel="noreferrer noopener">48f9471c20316b295704e6f8feb2196dd619799edec5835734fc24051f45c5b7</a></td></tr><tr><td class="has-text-align-left" data-align="left">Lightning.Core</td><td class="has-text-align-left" data-align="left"><a href="https://analyze.intezer.com/files/fd285c2fb4d42dde23590118dba016bf5b846625da3abdbe48773530a07bcd1e" target="_blank" rel="noreferrer noopener">fd285c2fb4d42dde23590118dba016bf5b846625da3abdbe48773530a07bcd1e</a></td></tr><tr><td class="has-text-align-left" data-align="left">Linux.Plugin.Lightning.Sshd</td><td class="has-text-align-left" data-align="left"><a href="https://analyze.intezer.com/files/ad16989a3ebf0b416681f8db31af098e02eabd25452f8d781383547ead395237" target="_blank" rel="noreferrer noopener">ad16989a3ebf0b416681f8db31af098e02eabd25452f8d781383547ead395237</a></td></tr></tbody></table></figure>



<h3>Sigma Detection Rules</h3>



<pre class="wp-block-prismatic-blocks"><code class="language-">title: Lightning Framework File Path
# Sigma rule: fires when a file is created under /usr/lib64/seahorses/ AND its
# path contains one of the file names listed in selection2.
status: experimental
description: Detects creation of files related to Lightning Framework.
author: Intezer
references:
   - https://www.intezer.com
logsource:
   product: linux
   category: file_create
   # NOTE(review): needs a Linux sensor that reports file creation with a
   # TargetFilename field; confirm the backend field mapping before deploying.
detection:
   # Directory part of the match.
   selection1:
      TargetFilename|startswith:
         - &#039;/usr/lib64/seahorses/&#039;
   # File-name part of the match. The spellings are intentional: several
   # appear to imitate legitimate names (nethogs, iftop, iptraf), so do not
   # normalise them.
   selection2:   
      TargetFilename|contains:
         - &#039;kbioset&#039;
         # cpc is named in this write-up as the encoded C2 configuration file;
         # its content differs per build, so it is matched by path, not by hash.
         - &#039;cpc&#039;
         - &#039;kkdmflush&#039;
         - &#039;soss&#039;
         - &#039;sshod&#039;
         - &#039;nethoogs&#039;
         - &#039;iftoop&#039;
         - &#039;iptraof&#039;
   # Both selections are required, which keeps the short substrings (cpc, soss)
   # from matching outside the seahorses directory.
   condition: selection1 and selection2
falsepositives:
   - Unknown.</code></pre>



<pre class="wp-block-prismatic-blocks"><code class="language-">title: Lightning Default C2 Communication
# Sigma rule: fires on firewall events whose destination is 10.2.22.67 port 33229,
# the address and port found in the default configuration of the analyzed sample.
status: experimental
description: Detects communication to default local ip for Lightning Framework
author: Intezer
references:
  - https://intezer.com
logsource:
  category: firewall
detection:
  # Both fields must match the same event.
  # NOTE(review): 10.2.22.67 is in private address space, so this only catches
  # samples still using the default configuration; a reconfigured build would
  # presumably use a different C2 and not match.
  select_outgoing:
    dst_ip: 10.2.22.67
    dst_port: 33229
  condition: select_outgoing
falsepositives:
  # NOTE(review): a legitimate internal host that owns this address and port
  # would also match; check the local addressing plan.
  - Unknown. </code></pre>



<h3><strong>MITRE ATT&amp;CK</strong></h3>



<figure class="wp-block-table"><table><tbody><tr><td class="has-text-align-left" data-align="left"><strong>Tactic</strong></td><td class="has-text-align-left" data-align="left"><strong>Technique</strong></td><td class="has-text-align-left" data-align="left"><strong>ID</strong></td><td class="has-text-align-left" data-align="left"><strong>Description</strong></td></tr><tr><td class="has-text-align-left" data-align="left">Persistence</td><td class="has-text-align-left" data-align="left">Boot or Logon Initialization Scripts</td><td class="has-text-align-left" data-align="left"><a href="https://attack.mitre.org/techniques/T1037/">T1037</a></td><td class="has-text-align-left" data-align="left">An init.d script is used for persistence of downloader module</td></tr><tr><td class="has-text-align-left" data-align="left">Persistence</td><td class="has-text-align-left" data-align="left">SSH Authorized Keys</td><td class="has-text-align-left" data-align="left"><a href="https://attack.mitre.org/techniques/T1098/004/">T1098.004</a></td><td class="has-text-align-left" data-align="left">SSH keys can be added to the <em>authorized_keys </em>file</td></tr><tr><td class="has-text-align-left" data-align="left">Defense Evasion</td><td class="has-text-align-left" data-align="left">Obfuscated Files or Information</td><td class="has-text-align-left" data-align="left"><a href="https://attack.mitre.org/techniques/T1027/">T1027</a></td><td class="has-text-align-left" data-align="left">The C2 profile is encoded on disk</td></tr><tr><td class="has-text-align-left" data-align="left">Defense Evasion</td><td class="has-text-align-left" data-align="left">Deobfuscate/Decode Files or Information</td><td class="has-text-align-left" data-align="left"><a href="https://attack.mitre.org/techniques/T1140/">T1140</a></td><td class="has-text-align-left" data-align="left">The C2 profile is decoded with a dynamic XOR algorithm</td></tr><tr><td class="has-text-align-left" data-align="left">Defense 
Evasion</td><td class="has-text-align-left" data-align="left">Hide Artifacts</td><td class="has-text-align-left" data-align="left"><a href="https://attack.mitre.org/techniques/T1564/">T1564</a></td><td class="has-text-align-left" data-align="left">Many artifacts are hidden including ports, PIDs, and file timestamps</td></tr><tr><td class="has-text-align-left" data-align="left">Defense Evasion</td><td class="has-text-align-left" data-align="left">Masquerading</td><td class="has-text-align-left" data-align="left"><a href="https://attack.mitre.org/techniques/T1036/">T1036</a></td><td class="has-text-align-left" data-align="left">Many files are masqueraded as other files or tasks</td></tr><tr><td class="has-text-align-left" data-align="left">Defense Evasion</td><td class="has-text-align-left" data-align="left">Rootkit</td><td class="has-text-align-left" data-align="left"><a href="https://attack.mitre.org/techniques/T1014/">T1014</a></td><td class="has-text-align-left" data-align="left">LKM and LD_PRELOAD rootkits are used</td></tr><tr><td class="has-text-align-left" data-align="left">Defense Evasion</td><td class="has-text-align-left" data-align="left">Timestomp</td><td class="has-text-align-left" data-align="left"><a href="https://attack.mitre.org/techniques/T1070/006/">T1070.006</a></td><td class="has-text-align-left" data-align="left">Files created by Lightning are modified to match that of other utilities</td></tr><tr><td class="has-text-align-left" data-align="left">Defense Evasion</td><td class="has-text-align-left" data-align="left">File Deletion</td><td class="has-text-align-left" data-align="left"><a href="https://attack.mitre.org/techniques/T1070/004/">T1070.004</a></td><td class="has-text-align-left" data-align="left">The framework has the ability to remove itself</td></tr><tr><td class="has-text-align-left" data-align="left">Discovery</td><td class="has-text-align-left" data-align="left">File and Directory Discovery</td><td class="has-text-align-left" 
data-align="left"><a href="https://attack.mitre.org/techniques/T1083/">T1083</a></td><td class="has-text-align-left" data-align="left">The framework can list files and directories on infected systems</td></tr><tr><td class="has-text-align-left" data-align="left">Discovery</td><td class="has-text-align-left" data-align="left">Network Service Discovery</td><td class="has-text-align-left" data-align="left"><a href="https://attack.mitre.org/techniques/T1046/">T1046</a></td><td class="has-text-align-left" data-align="left">Multiple plugins can be used to perform network service discovery</td></tr><tr><td class="has-text-align-left" data-align="left">Discovery</td><td class="has-text-align-left" data-align="left">Network Sniffing</td><td class="has-text-align-left" data-align="left"><a href="https://attack.mitre.org/techniques/T1040/">T1040</a></td><td class="has-text-align-left" data-align="left">Multiple plugins can be used to perform network sniffing</td></tr><tr><td class="has-text-align-left" data-align="left">Discovery</td><td class="has-text-align-left" data-align="left">System Information Discovery</td><td class="has-text-align-left" data-align="left"><a href="https://attack.mitre.org/techniques/T1082/">T1082</a></td><td class="has-text-align-left" data-align="left">Lightning can perform detailed system fingerprinting</td></tr><tr><td class="has-text-align-left" data-align="left">Command and Control</td><td class="has-text-align-left" data-align="left">Data Encoding</td><td class="has-text-align-left" data-align="left"><a href="https://attack.mitre.org/techniques/T1132/">T1132</a></td><td class="has-text-align-left" data-align="left">Data from the C2 is encoded</td></tr><tr><td class="has-text-align-left" data-align="left">Command and Control</td><td class="has-text-align-left" data-align="left">Non-Application Layer Protocol</td><td class="has-text-align-left" data-align="left"><a href="https://attack.mitre.org/techniques/T1095/">T1095</a></td><td 
class="has-text-align-left" data-align="left">Communication with the C2 is performed over TCP</td></tr><tr><td class="has-text-align-left" data-align="left">Command and Control</td><td class="has-text-align-left" data-align="left">Proxy</td><td class="has-text-align-left" data-align="left"><a href="https://attack.mitre.org/techniques/T1090/">T1090</a></td><td class="has-text-align-left" data-align="left">The framework has the ability to start a Socks5 proxy</td></tr><tr><td class="has-text-align-left" data-align="left">Command and Control</td><td class="has-text-align-left" data-align="left">Exfiltration Over C2 Channel</td><td class="has-text-align-left" data-align="left"><a href="https://attack.mitre.org/techniques/T1041/">T1041</a></td><td class="has-text-align-left" data-align="left">Data can be exfiltrated</td></tr></tbody></table></figure>
<div class="author-box-bottom clearfix"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/06/Screenshot_20210616-173955_Photos-e1623935903273-60x60.jpg" class="user-photo"><div class="user-bio"><strong> Ryan Robinson</strong><div class="share-author"></div><p>Ryan is a security researcher analyzing malware and scripts. Formerly, he was a researcher on Anomali's Threat Research Team.</p></div></div><div class="post-tags"> <a href="https://www.intezer.com/tag/lightning-framework/" rel="tag">Lightning Framework</a> <a href="https://www.intezer.com/tag/linux/" rel="tag">Linux</a> <a href="https://www.intezer.com/tag/malware-analysis/" rel="tag">Malware Analysis</a> <a href="https://www.intezer.com/tag/research/" rel="tag">Research</a></div><nav class="post-nav clearfix"><div class="prev-post"><a href="https://www.intezer.com/blog/incident-response/autonomous-secop-virtual-tier-1-soc-team/" rel="prev"></a><div class="post-link clear"><h4><a href="https://www.intezer.com/blog/incident-response/autonomous-secop-virtual-tier-1-soc-team/" rel="prev">&#x1f680; Launching Autonomous SecOps (Your Virtual, Algorithm-Driven Tier 1 SOC Team)</a></h4></div></div><div class="next-post"></div></nav>        <div class="related-posts">
        </div>
</div></div><div class="col-md-1"></div></div>
		    </div>
			
		
	    </div>
		

    </div>

<script>

	
$(document).ready(function() {
	$('.form-title').val('Subscribe to Blog Side');
	    $('div.single-post-page').find('a').addClass('blog-text-link');


	
	  $("input.email").focus(function() {
          $(".cf-field").addClass("show");
        });

	 $( "div.btn-sub-show" ).click(function() {
$("div.blog-side-subscribe").addClass("show");
});

		
		 var blogbtn = $('div.blog-side-subscribe').offset();

    var $window = $(window);
        if ( $window.scrollTop() >= blogbtn.top - 100) {
            $("div.side-blog-btn").addClass("fixed");
            $("div.side-blog-share").addClass("fixed");
			$("div.blog-side-subscribe").addClass("fixed");
			//$("div.btn-sub-show").addClass("fixed");
        }
else if( $window.scrollTop() < blogbtn.top - 100){
          $("div.side-blog-btn").removeClass("fixed");
          $("div.side-blog-share").removeClass("fixed");
		$("div.blog-side-subscribe").removeClass("fixed");
		//$("div.btn-sub-show").removeClass("fixed");
//$("div.blog-side-subscribe").removeClass("show");
        }
    
    $window.scroll(function() {
        if ( $window.scrollTop() >= blogbtn.top - 100) {
            $("div.side-blog-btn").addClass("fixed");
            $("div.side-blog-share").addClass("fixed");
			$("div.blog-side-subscribe").addClass("fixed");
			//$("div.btn-sub-show").addClass("fixed");
        }
else if( $window.scrollTop() < blogbtn.top - 100){
          $("div.side-blog-btn").removeClass("fixed");
          $("div.side-blog-share").removeClass("fixed");
		$("div.blog-side-subscribe").removeClass("fixed");
		//$("div.btn-sub-show").removeClass("fixed");
	//$("div.blog-side-subscribe").removeClass("show");
        }
		
    });			
});  
   

    </script>
<footer>
            <div class="container">
                <div class="row">
					<div class="footer-logo-cont"><img src="https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/images/intezer-logo-b.png" alt="intezer footer logo" width="95" height="24" title="" class="footer-logo">
						<div class="social footer-right">
                            <ul>
<li><a href="https://www.youtube.com/channel/UCt5L5ztHh-C1NCKa6bKjXFQ?view_as=subscriber" target="_blank"><i class="fa fa-youtube" aria-hidden="true" title="youtube"></i></a></li>
								<li><a href="https://www.facebook.com/IntezerLabs/" target="_blank"><i class="fa fa-facebook" aria-hidden="true" title="facebook"></i></a></li>
								 <li><a href="https://www.linkedin.com/company/intezer-labs" target="_blank"><i class="fa fa-linkedin" aria-hidden="true" title="Linkedin"></i></a></li>
                                <li><a href="https://twitter.com/intezerlabs" target="_blank"><i class="fa fa-twitter" aria-hidden="true" title="twitter"></i></a></li>
 								<li><a href="https://www.intezer.com/feed/"><i class="fa fa-rss" aria-hidden="true" title="RSS"></i></a></li>
                            </ul>
                        </div>
					</div>

                    <div class="footer-left">
						
                        <ul id="menu-footer-1" class="footer-1"><li id="menu-item-20981" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-20981 nav-item dropdown"><a class="nav-link dropdown-toggle" href="javascript:void(0);" data-toggle="dropdown" aria-haspopup="true">Solutions </a>
<ul role="menu" class="dropdown-menu">
	<li id="menu-item-1453" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-1453 nav-item"><a class="nav-link" href="https://www.intezer.com/intezer-analyze/">Autonomous SecOps</a></li>
	<li id="menu-item-12276" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-12276 nav-item"><a class="nav-link" href="https://www.intezer.com/intezer-protect/">Cloud Workload Protection</a></li>
</ul>
</li>
<li id="menu-item-213" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-213 nav-item dropdown"><a class="nav-link dropdown-toggle" href="javascript:void(0);" data-toggle="dropdown" aria-haspopup="true">Learn </a>
<ul role="menu" class="dropdown-menu">
	<li id="menu-item-15963" class="menu-item menu-item-type-taxonomy menu-item-object-category current-post-ancestor menu-item-15963 nav-item"><a class="nav-link" href="https://www.intezer.com/blog/">Blog</a></li>
	<li id="menu-item-2061" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-2061 nav-item"><a class="nav-link" href="https://www.intezer.com/resources/">Resources</a></li>
	<li id="menu-item-15892" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-15892 nav-item"><a class="nav-link" href="https://support.intezer.com/hc/en-us">Docs &#038; API</a></li>
	<li id="menu-item-21934" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21934 nav-item"><a class="nav-link" href="https://www.intezer.com/security/">Security</a></li>
</ul>
</li>
<li id="menu-item-20982" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-20982 nav-item dropdown"><a class="nav-link dropdown-toggle" href="javascript:void(0);" data-toggle="dropdown" aria-haspopup="true">Company </a>
<ul role="menu" class="dropdown-menu">
	<li id="menu-item-215" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-215 nav-item"><a class="nav-link" href="https://www.intezer.com/about/">About</a></li>
	<li id="menu-item-216" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-216 nav-item"><a class="nav-link" href="https://www.intezer.com/contact-us/">Contact Us</a></li>
	<li id="menu-item-7169" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-7169 nav-item"><a class="nav-link" href="https://www.intezer.com/partners/">Partners</a></li>
	<li id="menu-item-7168" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-7168 nav-item"><a class="nav-link" href="https://www.intezer.com/intezer-news/">News</a></li>
	<li id="menu-item-7167" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-7167 nav-item"><a class="nav-link" href="https://www.intezer.com/intezer-events/">Events</a></li>
	<li id="menu-item-8418" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-8418 nav-item"><a class="nav-link" href="https://www.intezer.com/careers/">Careers</a></li>
</ul>
</li>
</ul>                    </div>
					
	
                </div>
            </div>
			
        </footer>
        <div id="credit">
            <div class="container">
                <div>
               
                © Intezer.com 2022 All rights reserved					 
                        <ul id="menu-footer-2" class="footer-2"><li id="menu-item-59" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-59"><a href="https://www.intezer.com/terms-of-use/">Terms of Use</a></li>
<li id="menu-item-222" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-privacy-policy menu-item-222"><a href="https://www.intezer.com/privacy/">Privacy Policy</a></li>
</ul>
                </div> 
						
            </div>       
        </div>

        <script type="text/javascript">
	$(window).scroll(function() {
    var nav = $('#main-menu');
    var toppopheight = $('#top-bar-spacer').height();
    var top = 130;
    if ($(window).scrollTop() >= top) {
        nav.addClass('botborder');
if(toppopheight>0)
   {nav.css({ top: toppopheight+12 });}
		
    } else {
        nav.removeClass('botborder');
     nav.css({ top: 0 });
    }
});
</script>
	   <script   type='text/javascript' src='https://c0.wp.com/c/6.0.1/wp-includes/js/dist/vendor/regenerator-runtime.min.js' id='regenerator-runtime-js'></script>
<script   type='text/javascript' src='https://c0.wp.com/c/6.0.1/wp-includes/js/dist/vendor/wp-polyfill.min.js' id='wp-polyfill-js'></script>
<script type='text/javascript' id='contact-form-7-js-extra'>
/* <![CDATA[ */
var wpcf7 = {"api":{"root":"https:\/\/www.intezer.com\/wp-json\/","namespace":"contact-form-7\/v1"},"cached":"1"};
/* ]]> */
</script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.6' id='contact-form-7-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/dynamicconditions/Public/js/dynamic-conditions-public.js?ver=1.6.0' id='dynamic-conditions-js'></script>
<script type='text/javascript' id='leadin-script-loader-js-js-extra'>
/* <![CDATA[ */
var leadin_wordpress = {"userRole":"visitor","pageType":"post","leadinPluginVersion":"8.13.58"};
/* ]]> */
</script>
<script   type='text/javascript' src='https://js.hs-scripts.com/5492986.js?integration=WordPress&#038;ver=8.13.58' async defer id='hs-script-loader'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/prismatic/lib/highlight/js/highlight-core.js?ver=3.1.1' id='prismatic-highlight-js'></script>
<script   type='text/javascript' id='prismatic-highlight-js-after'>
hljs.highlightAll();
</script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/tether.min.js?ver=a64767dca95350331dd63d1543147965' id='tether_js-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/bootstrap.min.js?ver=a64767dca95350331dd63d1543147965' id='bootstrap_js-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/main.js?ver=a64767dca95350331dd63d1543147965' id='intezer-main-scripts-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/js/min/external/simplebar.js?ver=4751' id='wd-asl-scroll-simple-js'></script>
<script   type='text/javascript' id='wd-asl-ajaxsearchlite-js-before'>
window.ASL = typeof window.ASL !== 'undefined' ? window.ASL : {}; window.ASL.wp_rocket_exception = "DOMContentLoaded"; window.ASL.ajaxurl = "https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php"; window.ASL.backend_ajaxurl = "https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php"; window.ASL.js_scope = "jQuery"; window.ASL.asl_url = "https:\/\/www.intezer.com\/wp-content\/plugins\/ajax-search-lite\/"; window.ASL.detect_ajax = 0; window.ASL.media_query = 4751; window.ASL.version = 4751; window.ASL.pageHTML = ""; window.ASL.additional_scripts = [{"handle":"wd-asl-scroll-simple","src":"https:\/\/www.intezer.com\/wp-content\/plugins\/ajax-search-lite\/js\/min\/external\/simplebar.js","prereq":false},{"handle":"wd-asl-ajaxsearchlite","src":"https:\/\/www.intezer.com\/wp-content\/plugins\/ajax-search-lite\/js\/min\/plugin\/optimized\/asl-prereq.js","prereq":[]},{"handle":"wd-asl-ajaxsearchlite-core","src":"https:\/\/www.intezer.com\/wp-content\/plugins\/ajax-search-lite\/js\/min\/plugin\/optimized\/asl-core.js","prereq":[]},{"handle":"wd-asl-ajaxsearchlite-vertical","src":"https:\/\/www.intezer.com\/wp-content\/plugins\/ajax-search-lite\/js\/min\/plugin\/optimized\/asl-results-vertical.js","prereq":["wd-asl-ajaxsearchlite"]},{"handle":"wd-asl-ajaxsearchlite-load","src":"https:\/\/www.intezer.com\/wp-content\/plugins\/ajax-search-lite\/js\/min\/plugin\/optimized\/asl-load.js","prereq":["wd-asl-ajaxsearchlite-vertical"]}]; window.ASL.script_async_load = false; window.ASL.scrollbar = true; window.ASL.css_async = false; window.ASL.js_retain_popstate = 0; window.ASL.highlight = {"enabled":false,"data":[]}; window.ASL.fix_duplicates = 1; window.ASL.analytics = {"method":0,"tracking_id":"","string":"?ajax_search={asl_term}","event":{"focus":{"active":1,"action":"focus","category":"ASL","label":"Input focus","value":"1"},"search_start":{"active":0,"action":"search_start","category":"ASL","label":"Phrase: 
{phrase}","value":"1"},"search_end":{"active":1,"action":"search_end","category":"ASL","label":"{phrase} | {results_count}","value":"1"},"magnifier":{"active":1,"action":"magnifier","category":"ASL","label":"Magnifier clicked","value":"1"},"return":{"active":1,"action":"return","category":"ASL","label":"Return button pressed","value":"1"},"facet_change":{"active":0,"action":"facet_change","category":"ASL","label":"{option_label} | {option_value}","value":"1"},"result_click":{"active":1,"action":"result_click","category":"ASL","label":"{result_title} | {result_url}","value":"1"}}};
</script>

    </body>
</html>
